Regardless of docker/crio/containerd starting the container, is there a way to understand if the runc container is running as privileged one?
docker inspect does show privilegedness but I want to find out at the runc layer.
The state and the configuration of every runc container may be obtained from the $ROOT_DIR/$CONTAINER_ID/state.json file, where $ROOT_DIR is a root directory for a group of containers (usually managed by a specific higher-level runtime like Docker). For example, on my machine Docker uses the root dir /run/docker/runtime-runc/moby, thus I can find the runc-level configuration of some container as follows:
# jq .config /run/docker/runtime-runc/moby/$CONTAINER_ID/state.json
{
  "no_pivot_root": false,
  "parent_death_signal": 0,
  "rootfs": "/var/lib/docker/overlay2/<CONTAINER_ID>/merged",
  "readonlyfs": false,
...
}
You can easily find out that this file does not contain fields like privileged. A quick search through the runc source code shows that it does not have a notion of a privileged container, i.e. this is an abstraction from the higher levels. This means, in turn, that there is no simple way to determine whether the container was started as a privileged one or not from the runc level.
However, it is still possible to say whether the container has the same privileges as those which are granted by the --privileged argument at the Docker level: the state.json file contains a list of capabilities granted to the container, a list of device nodes available to the container, the seccomp mode and so on. From a practical standpoint, it is unwise to waste your time on checking all these settings, so it is better just to look at docker inspect.
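As an added illustration of the heuristic the answer describes (not code from the answer or from runc), the following script reads the `config` object of a runc state.json and flags the settings that a Docker --privileged container would show: dangerous capabilities in the bounding set, seccomp switched off, and no masked or read-only paths. The JSON key names (`capabilities.bounding`, `devices`, `seccomp`, `mask_paths`, `readonly_paths`) are assumed to match runc's libcontainer config serialisation; the two sample configs are constructed, not captured from a real host.

```python
import json

# Capabilities whose presence in the bounding set is a strong privileged-like signal.
DANGEROUS_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_PTRACE"}

# Device nodes that a default (non-privileged) Docker container also receives.
DEFAULT_DEVICES = {"/dev/null", "/dev/zero", "/dev/full", "/dev/random",
                   "/dev/urandom", "/dev/tty", "/dev/console", "/dev/ptmx"}

# Constructed samples: the .config object of state.json, trimmed to the fields read here.
DEFAULT_LIKE = json.dumps({
    "capabilities": {"bounding": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE", "CAP_KILL"]},
    "devices": [{"path": "/dev/null"}, {"path": "/dev/zero"}, {"path": "/dev/urandom"}],
    "seccomp": {"default_action": "SCMP_ACT_ERRNO"},
    "mask_paths": ["/proc/kcore", "/sys/firmware"],
    "readonly_paths": ["/proc/bus", "/proc/sys"],
})
PRIVILEGED_LIKE = json.dumps({
    "capabilities": {"bounding": ["CAP_CHOWN", "CAP_SYS_ADMIN", "CAP_SYS_MODULE"]},
    "devices": [{"path": "/dev/null"}, {"path": "/dev/sda"}, {"path": "/dev/mem"}],
    "seccomp": None,        # runc serialises a disabled seccomp profile as null
    "mask_paths": [],
    "readonly_paths": [],
})

def privileged_indicators(config):
    """Return the individual signals so a reader can see *why* a container looks privileged."""
    caps = set((config.get("capabilities") or {}).get("bounding") or [])
    devices = config.get("devices") or []
    return {
        "dangerous_caps": sorted(caps & DANGEROUS_CAPS),
        "seccomp_disabled": config.get("seccomp") is None,
        "nothing_masked": not config.get("mask_paths") and not config.get("readonly_paths"),
        # Host device nodes beyond the default set, e.g. block devices or /dev/mem.
        "extra_devices": sorted(d.get("path", "") for d in devices
                                if d.get("path") not in DEFAULT_DEVICES),
    }

def looks_privileged(config):
    """True when all three strong signals are present together (heuristic, not a runc field)."""
    ind = privileged_indicators(config)
    return bool(ind["dangerous_caps"]) and ind["seccomp_disabled"] and ind["nothing_masked"]

def check_state_file(path):
    """Run the heuristic over a real $ROOT_DIR/$CONTAINER_ID/state.json."""
    with open(path) as fh:
        return looks_privileged(json.load(fh)["config"])

if __name__ == "__main__":
    for name, raw in (("default-like", DEFAULT_LIKE), ("privileged-like", PRIVILEGED_LIKE)):
        print(name, looks_privileged(json.loads(raw)), privileged_indicators(json.loads(raw)))
```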
